Knowing your Shell

Theory

Upon gaining access to a Windows target, such as after exploiting a command injection vulnerability in a web service, the exact type of shell might not always be immediately evident. This section delves into specific tricks to discern the type of shell (CMD or PowerShell) and even determine the architecture of the process (x32 or x64).

Understanding these aspects is crucial, especially when tailoring specific techniques, payloads, or PowerShell exploits for successful execution.

Practice

Detecting Shell Type

To detect whether the current shell is CMD or PowerShell, a simple trick can be employed: execute the following command, which prints "CMD" under cmd.exe and "PowerShell" under PowerShell.

# Echo whether the current shell is CMD or PowerShell
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Detecting PowerShell Architecture

Identifying the architecture of the PowerShell process (32-bit or 64-bit) matters in certain scenarios, such as when dealing with PowerShell exploits.

The following command outputs a Boolean value indicating whether the current PowerShell process is running as a 64-bit process.

[Environment]::Is64BitProcess
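The following is an added example, not code from the original page: a hypothetical helper named Get-ShellContext that collects the architecture checks above in one object and distinguishes the edge case that matters most in practice, a 32-bit PowerShell process running under WOW64 on 64-bit Windows, where Is64BitProcess is false even though the operating system is 64-bit.

```powershell
# Added example (not from the original page). Get-ShellContext is a hypothetical
# helper name; every property comes from standard .NET / Windows environment values.
function Get-ShellContext {
    $is64Proc = [Environment]::Is64BitProcess
    $is64OS   = [Environment]::Is64BitOperatingSystem

    # A 32-bit process on 64-bit Windows runs under WOW64. Two independent signals:
    #  - PROCESSOR_ARCHITEW6432 is only set inside a WOW64 process
    #  - %WINDIR%\Sysnative is a virtual path visible only from a WOW64 process
    $wow64ByEnv  = -not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432)
    $wow64ByPath = Test-Path (Join-Path $env:WINDIR 'Sysnative')

    [pscustomobject]@{
        HostName         = $Host.Name                       # e.g. ConsoleHost
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        PSEdition        = $PSVersionTable.PSEdition        # Desktop (5.1) or Core (7+)
        Is64BitProcess   = $is64Proc                        # same check as the one-liner above
        Is64BitOS        = $is64OS
        PointerSize      = [IntPtr]::Size                   # 4 on x86, 8 on x64; agrees with Is64BitProcess
        ProcessArch      = $env:PROCESSOR_ARCHITECTURE      # x86 inside WOW64, AMD64 natively
        NativeArch       = $env:PROCESSOR_ARCHITEW6432      # only populated under WOW64
        RunningUnderWow64 = ($is64OS -and -not $is64Proc) -or $wow64ByEnv -or $wow64ByPath
    }
}

# Usage: print the summary, then flag the mismatch case explicitly.
$ctx = Get-ShellContext
$ctx | Format-List
if ($ctx.RunningUnderWow64) {
    Write-Warning '32-bit PowerShell on a 64-bit OS: architecture-specific code must target x86 here.'
}
```

The same two environment variables (PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432) are also readable from CMD, so the WOW64 check works even before the shell type has been confirmed.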
